Android bug leaves nearly all devices open to attack

Now there’s an Android bug which pretty much affects all Android devices. It’s occurs when an MMS arrives with a specially crafted video file. A software library called Stagefright will generate a preview of the video and, even without user input, it’ll trigger malicious code to run within your handset. Older devices are particularly susceptible, but pretty much all devices using Android 2.2 to 5.1 are affected. Those running Android 4.1 and above will still see the problem, but it’ll occur within a sandboxed environment so that private data can’t be accessed.

Although the vulnerability has been flagged by Zimperium Labs, Google only paid a $1,337 bounty for finding it, even though billions of devices are affected. Seems a bit miserly doesn’t it? Zimperium Labs even went on to create a patch to fix this, which Google have added to the Android code, but due to the rather slow and crap way that OS updates trickle down to network devices, it’ll probably only appear in the next brand new phone you buy.

The exploit is set to be demonstrated at the upcoming Black Hat and DEF CON security conference.